{
	"id": "ab6f6ae5-773f-4672-ac63-d150eddd1abd",
	"created_at": "2026-04-06T00:16:13.074294Z",
	"updated_at": "2026-04-10T03:21:30.908895Z",
	"deleted_at": null,
	"sha1_hash": "55d358d1997b81dc2b2545d7857539d4a4446dbc",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 288339,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy CODERED_VTA\r\nArchived: 2026-04-02 11:41:38 UTC\r\n54 Subscribers\r\nPhorpiex - Downloader Delivering Ransomware\r\nCVE: 1 | FileHash-MD5: 6 | FileHash-SHA1: 6 | FileHash-SHA256: 7 | URL: 5 | Domain: 1 | Email: 2\r\nA report by Cybereason Security Services looks at the connection between the LockBit ransomware group and the\r\nPhorpiex botnet, a notorious cybercrime group that has been active since 2010.\r\n840 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:GandCrab\r\nPage 1 of 10\n\n258 Subscribers\r\nAuthor Url\r\nPhorpiex - Downloader Delivering Ransomware\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:GandCrab\r\nPage 2 of 10\n\nFileHash-MD5: 5 | FileHash-SHA1: 4 | FileHash-SHA256: 6 | URL: 4 | Domain: 1 | Email: 2\r\nThe report analyzes the Phorpiex botnet's role in delivering LockBit Black Ransomware. It highlights the\r\nautomated execution of ransomware through Phorpiex, minimal changes to the botnet's code since its source code\r\nsale in 2021, and direct deployment of LockBit without network expansion. The analysis covers the infection\r\nflow, phishing emails, and technical details of different Phorpiex variants. Key features include URL cache\r\ndeletion, library obfuscation, indicator removal, and persistence mechanisms. The report also provides a\r\ncomparative analysis of LockBit, GandCrab, and TWIZT downloader variants, along with IOCs and MITRE\r\nATT\u0026CK mapping.\r\n373,196 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:GandCrab\r\nPage 3 of 10\n\nRansomware Indicators of Compromise (IOC) Feed - PrecisionSec\r\nFileHash-MD5: 10 | FileHash-SHA1: 9 | FileHash-SHA256: 9\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:GandCrab\r\nPage 4 of 10\n\nPrecisionSec is the world’s leading cyber security firm and is offering a 30-day free trial of malware detection and\r\nblocking the most prolific and dangerous threat in today's landscape, including ransomware.\r\n0 Subscribers\r\nAuthor Url\r\nAiming at domestic government and enterprises! Deeply revealed ransomware operator Rast\r\ngang\r\nFileHash-MD5: 10 | FileHash-SHA1: 5 | FileHash-SHA256: 5 | Email: 12\r\nA new ransomware threat, dubbed Rast, has emerged targeting Chinese government and enterprises since\r\nDecember 2023. Written in Rust, Rast has infected over 6,800 terminals, successfully encrypting more than 5,700.\r\nThe Rast gang, named after the ransomware, operates primarily between 20:00 and 05:00, suggesting a European\r\nbase. Their attack method involves RDP brute-forcing and exploiting Nday vulnerabilities to access border\r\nservers, followed by manual deployment of ransomware components. The gang's tactics are reminiscent of\r\noperators distributing Buran, GlobeImposter, Phobos, and GandCrab ransomware. Rast ransomware has evolved\r\nthrough three versions, with the latest requiring manual operation via a console interface. Victim information is\r\nuploaded to a MySQL database, revealing a wide range of affected sectors including government, finance, and\r\nvarious industries.\r\n373,196 Subscribers\r\n1,582 Subscribers\r\nGlobal- Injection | Phone service modification campaign - Cryprsoft\r\nFileHash-MD5: 626 | FileHash-SHA1: 539 | FileHash-SHA256: 1335 | SSLCertFingerprint: 2 | URL: 220 |\r\nDomain: 501 | Email: 4 | Hostname: 617\r\nMalicious» http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\r\nVirus:Win32/Sality.AT , Win32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor ,\r\nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , Text: Mydoom spreading via SMTP 29\r\n192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128\r\n2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known\r\nSinkhole Response Header 166.78.145.90 192.168.56.110 2018 ATT\u0026CK | Query Registry , Modify Existing\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:GandCrab\r\nPage 5 of 10\n\nService , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information\r\nDiscovery , Disabling Security Tools , Modify Registry\r\n224 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:GandCrab\r\nPage 6 of 10\n\nurlhaus.abuse.ch\r\nCVE: 9 | FileHash-MD5: 3 | FileHash-SHA1: 8 | URL: 7927 | Domain: 119 | Hostname: 162\r\n1 Subscribers\r\n224 Subscribers\r\nAT\u0026T • Ransom:Win32/GandCrab.AE\r\nFileHash-MD5: 231 | FileHash-SHA1: 217 | FileHash-SHA256: 1628 | URL: 298 | Domain: 1047 | Email: 7 |\r\nHostname: 877\r\n*Edit: I meant to mean at\u0026t may be unaware despite reported outage. My AT\u0026T study is private and researched\r\nfrom corporate device. GandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is\r\na ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the\r\nuser does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns\r\ntraffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.\r\n218 Subscribers\r\nAT\u0026T • Ransom:Win32/GandCrab.AE\r\nFileHash-MD5: 231 | FileHash-SHA1: 217 | FileHash-SHA256: 1628 | URL: 298 | Domain: 1047 | Email: 7 |\r\nHostname: 877\r\nGandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a\r\nmalware that asks the victim to pay money in order to restore access to encrypted files. If the user does not\r\ncooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic,\r\ndownload other malware, spy on targets, modify, delete, write on victims devices going undetected.\r\n218 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:GandCrab\r\nPage 7 of 10\n\nAT\u0026T • Ransom:Win32/GandCrab.AE\r\nFileHash-MD5: 231 | FileHash-SHA1: 217 | FileHash-SHA256: 1628 | URL: 298 | Domain: 1047 | Email: 7 |\r\nHostname: 877\r\nGandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a\r\nmalware that asks the victim to pay money in order to restore access to encrypted files. If the user does not\r\ncooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic,\r\ndownload other malware, spy on targets, modify, delete, write on victims devices going undetected.\r\n218 Subscribers\r\nAT\u0026T • Ransom:Win32/GandCrab.AE\r\nFileHash-MD5: 231 | FileHash-SHA1: 217 | FileHash-SHA256: 1628 | URL: 298 | Domain: 1047 | Email: 7 |\r\nHostname: 877\r\n*Edit: I meant to mean at\u0026t may be unaware despite reported outage. My AT\u0026T study is private and researched\r\nfrom corporate device. GandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is\r\na ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the\r\nuser does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns\r\ntraffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.\r\n218 Subscribers\r\n224 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:GandCrab\r\nPage 8 of 10\n\ntest\r\nFileHash-MD5: 231 | FileHash-SHA1: 217 | FileHash-SHA256: 1628 | URL: 298 | Domain: 1047 | Email: 7 |\r\nHostname: 877\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:GandCrab\r\nPage 9 of 10\n\n1 Subscribers\r\n224 Subscribers\r\n218 Subscribers\r\n218 Subscribers\r\nOutbreak | https://www.hybrid-analysis.com/\r\nCVE: 10 | FileHash-MD5: 563 | FileHash-SHA1: 312 | FileHash-SHA256: 2529 | URL: 2817 | Domain: 481 |\r\nHostname: 818\r\nI'm being redirected. I'm not sure what if Hybrid Analysis is attacked. It's more likely I'm under attack and being\r\nredirected or Hybrid Analysis is an unsafe site.\r\n218 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:GandCrab\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:GandCrab\r\nPage 10 of 10\n\nRansomware Indicators of https://otx.alienvault.com/browse/pulses?q=tag:GandCrab Compromise (IOC) Feed - PrecisionSec\nFileHash-MD5: 10 | FileHash-SHA1: 9 | FileHash-SHA256:  9\n   Page 4 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:GandCrab"
	],
	"report_names": [
		"pulses?q=tag:GandCrab"
	],
	"threat_actors": [],
	"ts_created_at": 1775434573,
	"ts_updated_at": 1775791290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55d358d1997b81dc2b2545d7857539d4a4446dbc.pdf",
		"text": "https://archive.orkl.eu/55d358d1997b81dc2b2545d7857539d4a4446dbc.txt",
		"img": "https://archive.orkl.eu/55d358d1997b81dc2b2545d7857539d4a4446dbc.jpg"
	}
}